Chapter 14
In This Chapter
Attacking e-mail systems
Assailing instant messaging
Assaulting Voice over IP applications
Communication systems such as e-mail and Voice over IP (VoIP) often create vulnerabilities that people overlook. Why? Well, from my experience, messaging software — both at the server and client level — is vulnerable because network administrators often believe that firewalls and antivirus software are all that’s needed to keep trouble away, or they simply forget about securing these systems altogether.
In this chapter, I show you how to test for common e-mail and VoIP issues. I also outline key countermeasures to help prevent these hacks against your systems.
Practically all messaging applications are hacking targets on your network. Given the proliferation and business dependence on e-mail, just about anything is fair game. Ditto with VoIP. It’s downright scary what people with ill intent can do with it.
With messaging systems, one underlying weaknesses is that many of the supporting protocols weren’t designed with security in mind — especially those developed several decades ago when security wasn’t nearly the issue it is today. The funny thing is that even modern-day messaging protocols — or at least the implementation of the protocols — are still susceptible to serious security problems. Furthermore, convenience and usability often outweigh the need for security.
Many attacks against messaging systems are just minor nuisances; others can inflict serious harm on your information and your organization’s reputation. Malicious attacks against messaging systems include the following:
These attacks can lead to such problems as unauthorized — and potentially illegal — disclosure of sensitive information, as well as loss of information altogether.
The following attacks exploit the most common e-mail security vulnerabilities I’ve seen. The good news is that you can eliminate or minimize most of them to the point where your information is not at risk. Some of these attacks require the basic hacking methodologies: gathering public information, scanning and enumerating your systems, and finding and exploiting the vulnerabilities. Others can be carried out by sending e-mails or capturing network traffic.
E-mail bombs attack by creating denial of service (DoS) conditions against your e-mail software and even your network and Internet connection by taking up a large amount of bandwidth and, sometimes, requiring large amounts of storage space. E-mail bombs can crash a server and provide unauthorized administrator access — yes, even with today’s seemingly endless storage capacities.
An attacker can create an attachment-overload attack by sending hundreds or thousands of e-mails with very large attachments to one or more recipients on your network.
Attachment attacks have a couple of goals:
Storage overload: Multiple large messages can quickly fill the total storage capacity of an e-mail server. If the messages aren’t automatically deleted by the server or manually deleted by individual user accounts, the server will be unable to receive new messages.
This can create a serious DoS problem for your e-mail system, either crashing it or requiring you to take your system offline to clean up the junk that has accumulated. A 100MB file attachment sent ten times to 100 users can take 100GB of storage space. That can add up!
These countermeasures can help prevent attachment-overload attacks:
Limit each user’s space on the server. This denies large attachments from being written to disk. Limit message sizes for inbound and even outbound messages should you want to prevent a user from launching this attack from inside your network. I find a few gigabytes is a good limit, but it all depends on your network size, storage availability, business culture, and so on, so think through this one carefully before putting anything in place.
Consider using SFTP or HTTP instead of e-mail for large file transfers. There are numerous cloud-based file transfer services available such as Dropbox and Box. You can also encourage your users to use departmental shares or public folders. By doing so, you can store one copy of the file on a server and have the recipient download the file on his or her own workstation.
A hacker can send a huge number of e-mails simultaneously to addresses in your e-mail system. Malware that’s present on your network can do the same thing from inside your network if there’s an open Simple Mail Transfer Protocol (SMTP) relay on your network (which is often the case). (More about that follows.) These connection attacks can cause the server to give up on servicing any inbound or outbound TCP requests. This situation can lead to a complete server lockup or a crash, often resulting in a condition in which the attacker is allowed administrator or root access to the system.
An attack using a flood of e-mails is often carried out in spam attacks and other denial of service attempts.
Prevent e-mail attacks as far out on your network perimeter as you can. The more traffic or malicious behavior you keep off your e-mail servers and clients, the better.
Many e-mail servers allow you to limit the number of resources used for inbound connections, as shown in the Maximum number of simultaneous threads setting for IceWarp e-mail server in Figure 14-1. This setting is called different things for different e-mail servers and e-mail firewalls, so check your documentation. Completely stopping an unlimited number of inbound requests can be impossible. However, you can minimize the impact of the attack. This setting limits the amount of server processor time, which can help during a DoS attack.
Even in large companies, or if you’re using a cloud-based e-mail service such as Office 365, there’s likely no reason that thousands of inbound e-mail deliveries should be necessary within a short time period.
You can implement the following countermeasures as an additional layer of security for your e-mail systems:
When hacking an e-mail server, a hacker’s first order of business is performing a basic banner grab to see whether he can discover what e-mail server software is running. This is one of the most critical tests to find out what the world knows about your SMTP, POP3, and IMAP servers.
Figure 14-2 shows the banner displayed on an e-mail server when a basic telnet connection is made on port 25 (SMTP). To do this, at a command prompt, simply enter telnet ip or_hostname_of_your_server 25. This opens a telnet session on TCP port 25.
The e-mail software type and server version are often very obvious and give hackers some ideas about possible attacks, especially if they search a vulnerability database for known vulnerabilities of that software version. Figure 14-3 shows the same e-mail server with its SMTP banner changed from the default (okay, the previous one was, too) to disguise such information as the e-mail server’s version number.
There isn’t a 100 percent secure way of disguising banner information. I suggest these banner security tips for your SMTP, POP3, and IMAP servers:
www.cisecurity.org
) and NIST (http://csrc.nist.gov
).Some attacks exploit weaknesses in SMTP. This e-mail communication protocol — which is over three decades old — was designed for functionality, not security.
A clever way that attackers can verify whether e-mail accounts exist on a server is simply to telnet to the server on port 25 and run the VRFY command. The VRFY — short for verify — command makes a server check whether a specific user ID exists. Spammers often automate this method to perform a directory harvest attack (DHA), which is a way of gleaning valid e-mail addresses from a server or domain so hackers know whom to send spam, phishing, or malware-infected messages to.
Figure 14-5 shows how easy it is to verify an e-mail address on a server with the VRFY command enabled. Scripting this attack can test thousands of e-mail address combinations.
The SMTP command EXPN — short for expand — might allow attackers to verify what mailing lists exist on a server. You can simply telnet to your e-mail server on port 25 and try EXPN on your system if you know of any mailing lists that might exist. Figure 14-6 shows how the result might look. Scripting this attack and testing thousands of mailing list combinations is simple.
Another way to somewhat automate the process is to use the EmailVerify program in TamoSoft’s Essential NetTools (www.tamos.com/products/nettools
). As shown in Figure 14-7, you simply enter an e-mail address, click Start, and EmailVerify connects to the server and pretends to send an e-mail.
Yet another way to capture valid e-mail addresses is to use theHarvester (https://github.com/laramies/theHarvester
) to glean addresses via Google and other search engines. As I outline in Chapter 9, you can download Kali Linux from www.kali.org
to burn the ISO image to CD or boot the image directly through VMware or VirtualBox. In the Kali Linux GUI, simply choose Applications ⇒ Information Gathering ⇒ SMTP Analysis ⇒ smtp-user-enum and enter smtp-user-enum –M VRFY –u <user name you wish to confirm> -t server IP/hostname , as shown in Figure 14-8.
You can customize smtp-user-enum queries as well using, for example, EXPN in place of VRFY and –U and a list of user names in a file to query more than one user. Simply enter smtp-user-enum for all the search options.
If you’re running Exchange, account enumeration won’t be an issue. If you’re not running Exchange, the best solution for preventing this type of e-mail account enumeration depends on whether you need to enable the VRFY and EXPN commands:
Finally, work with your marketing team and web developers to ensure that company e-mail addresses are not posted on your organization’s website or on social media websites. Also, educate your users about not doing this.
SMTP relay lets users send e-mails through external servers. Open e-mail relays aren’t the problem they used to be, but you still need to check for them. Spammers and criminal hackers can use an e-mail server to send spam or malware through e-mail under the guise of the unsuspecting open-relay owner.
Here are a couple of easy ways to test your server for SMTP relay:
Windows-based tools: One example is NetScanTools Pro (www.netscantools.com
). You can run an SMTP Relay check on your e-mail server with NetScanTools Pro, as shown in Figure 14-9.
Although some SMTP servers accept inbound relay connections and make it look like relaying works, this isn’t always the case because the initial connection might be allowed, but the filtering actually takes place behind the scenes. Check whether the e-mail actually made it through by checking the account you sent the test relay message to.
In NetScanTools Pro, you simply enter values for the SMTP mail server name and Your Sending Domain Name. Inside Test Message Settings, enter the Recipient Email Address and Sender’s Email Address. If the test is successful, NetScanTools Pro will open a window that says “Message Sent Successfully.”
You can also view the results in the main SMTP Server Tests window and generate a formal report by simply clicking View Results in a Web Browser and then clicking View Relay Test Results.
You can manually test your server for SMTP relay by telnetting to the e-mail server on port 25. Follow these steps:
Telnet to your server on port 25.
You can do this in two ways:
www.vandyke.com/products/securecrt/index.html
). telnet mailserver_address 25
You should see the SMTP welcome banner when the connection is made.
Enter a command to tell the server, “Hi, I’m connecting from this domain.”
After each command in these steps, you should receive a different-numbered message, such as 999 OK. You can ignore these messages.
Enter a command to tell the server your e-mail address.
For example:
mail from:[email protected]
You can use any e-mail address in place of [email protected]
.
Enter a command to tell the server who to send the e-mail to.
For example:
rcpt to:[email protected]
Again, any e-mail address will suffice.
Enter a command to tell the server that the message body is to follow.
For example:
data
A relay test!
End the command with a period on a line by itself.
You can enter ? or help at the first telnet prompt to see a list of all the supported commands and, depending on the server, get help on the use of the commands.
The final period marks the end of the message. After you enter this final period, your message will be sent if relaying is allowed.
Look for a message similar to Relay not allowed coming back from the server.
If you get a message similar to this, SMTP relaying is either not allowed on your server or is being filtered because many servers block messages that appear to originate from the outside yet come from the inside.
You might get this message after you enter the rcpt to: command.
If you don’t receive a message from your server, check your Inbox for the relayed e-mail.
If you receive the test e-mail you sent, SMTP relaying is enabled on your server and probably needs to be disabled. The last thing you want is to let spammers or other attackers make it look like you’re sending tons of spam, or worse, to be blacklisted by one or more of the blacklist providers. Ending up on a blacklist can disrupt e-mail sending and receiving — not good for business!
You can implement the following countermeasures on your e-mail server to disable or at least control SMTP relaying:
If your e-mail client and server are configured with typical defaults, a malicious attacker might find critical pieces of information:
Figure 14-10 shows the header information revealed in a test e-mail I sent to my free web account. As you can see, it shows off quite a bit of information about my e-mail system:
The best countermeasure to prevent information disclosures in e-mail headers is to configure your e-mail server or e-mail firewall to rewrite your headers, by either changing the information shown or removing it. Check your e-mail server or firewall documentation to see whether this is an option.
If header rewriting is not available (or even allowed by your ISP), you still might prevent the sending of some critical information, such as server software version numbers and internal IP addresses.
E-mail traffic, including usernames and passwords, can be captured with a network analyzer or an e-mail packet sniffer and reconstructor.
If traffic is captured, a hacker or malicious insider can compromise one host and potentially have full access to another adjacent host, such as your e-mail server.
E-mail systems are regularly attacked by such malware as viruses and worms. One of the most important tests you can run for malware vulnerability is to verify that your antivirus software is actually working.
EICAR offers a safe option for checking the effectiveness of your antivirus software. Although EICAR is by no means a comprehensive method of testing for malware vulnerabilities, it serves as a good, safe start.
EICAR is a European-based malware think tank that has worked in conjunction with anti-malware vendors to provide this basic system test. The EICAR test string transmits in the body of an e-mail or as a file attachment so that you can see how your server and workstations respond. You basically access (load) this file — which contains the following 68-character string — on your computer to see whether your antivirus or other malware software detects it:
X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
When you run this test, you may see results from your antivirus software similar to Figure 14-11.
The following countermeasures help keep messages as secure as possible.
The right software can neutralize many threats:
Encrypt (where’s it reasonable). You can use S/MIME or PGP to encrypt sensitive messages or use e-mail encryption at the desktop level or the server or e-mail gateway. Better yet (i.e. an easier means), you can also use TLS via the POP3S, IMAPS, and SMTPS protocols. The best option may be to use an e-mail security appliance or cloud service that supports the sending and receiving of encrypted e-mails via a web browser over HTTPS.
Don’t depend on your users to encrypt messages. As with any other security policy or control, relying on users to make security decisions often ends poorly. Use an enterprise solution to encrypt messages automatically instead.
Make sure that encrypted files and e-mails can be protected against malware.
Some simple operating rules can keep your walls high and the attackers out of your e-mail systems:
www.postfix.org
) or qmail (www.qmail.org
).A widely-used technology in enterprises today is Voice over IP (VoIP). Whether it’s in-house VoIP systems or systems for remote users, VoIP servers, soft phones, and other related components have their own set of security vulnerabilities. Like most things security-related, many people haven’t thought about the security issues surrounding voice conversations traversing their networks or the Internet — but it certainly needs to be on your radar. Don’t fret — it’s not too late to make things right. Just remember, though, that even if protective measures are in place, VoIP systems need to be included as part of your overall security testing strategy on a continuous basis.
As with any technology or set of network protocols, the bad guys are always going to figure out how to break in. VoIP is certainly no different. In fact, given what’s at stake (phone conversations and phone system availability), there’s certainly a lot to lose.
VoIP-related systems are no more (or less) secure than other common computer systems. Why? It’s simple. VoIP systems have their own operating system, they have IP addresses, and they’re accessible on the network. Compounding the issue is the fact that many VoIP systems house more intelligence — a fancy word for “more stuff that can go wrong” — which makes VoIP networks even more hackable.
On one hand, VoIP systems have vulnerabilities very similar to other systems I cover in this book, including
That’s why using the standard vulnerability scanning tools I cover is important. Figure 14-12 shows various vulnerabilities associated with the authentication mechanism in the web interface of a VoIP adapter.
Looking at these results, apparently this device is just a basic web server. That’s exactly my point — VoIP systems are nothing more than networked computer systems that have vulnerabilities that can be exploited.
On the other hand, two major security weaknesses are tied specifically to VoIP. The first is that of phone service disruption. Yep, VoIP is susceptible to denial of service just like any other system or application. VoIP is as vulnerable as the most timing-sensitive applications out there, given the low tolerance folks have for choppy and dropped phone conversations (cellphones aside, of course). The other big weakness with VoIP is that voice conversations are usually not encrypted and thus can be intercepted and recorded. Imagine the fun a bad guy could have recording conversations and blackmailing his victims. This is very easy on unsecured wireless networks, but as I show in the upcoming “Capturing and recording voice traffic” section, it’s also pretty simple to carry out on wired networks.
Unlike typical computer security vulnerabilities, these issues with VoIP aren’t easily fixed with simple software patches. These vulnerabilities are embedded into the Session Initiation Protocol (SIP) and Real-time Transport Protocol (RTP) that VoIP uses for its communications. The following are two VoIP-centric tests you should use to assess the security of your voice systems.
Outside the basic network, OS, and web application vulnerabilities, you can uncover other VoIP issues if you use the right tools. The good news is that you likely already have these tools at your disposal in the form of network vulnerability scanners such as Nexpose (www.rapid7.com/products/nexpose
) and web vulnerability scanners such as Netsparker (www.netsparker.com
). Common flaws in the VoIP call managers and phones include weak passwords, cross-site scripting, and missing patches that can be exploited using a tool such as Metasploit.
If you have access to the wired or wireless network, you can capture VoIP conversations easily. This is a great way to prove that the network and the VoIP installation are vulnerable. There are many legal issues associated with tapping into phone conversations, so make sure you have permission and are careful not to abuse your test results.
You can use Cain & Abel (technically just Cain for the features I demonstrate here) to tap into VoIP conversations. You can download Cain & Abel free at www.oxid.it/cain.html
. Using Cain’s ARP poison routing feature, you can plug in to the network and have it capture VoIP traffic:
Load Cain & Abel and then click the Sniffer tab to enter the network analyzer mode.
The Hosts page opens by default.
Click the Start/Stop APR icon (which looks like the nuclear waste symbol).
The ARP poison routing process starts and enables the built-in sniffer.
Click the white space under the uppermost Status column heading (just under the Sniffer tab).
This step re-enables the blue + icon.
Select your default route or other host that you want to capture packets traveling to and from.
I just select my default route, but you might consider selecting your SIP management system or other central VoIP system. The right column fills with all the remaining hosts.
In the right column, Ctrl+click the system you want to poison to capture its voice traffic.
In my case, I select my VoIP network adapter, but you might consider selecting all your VoIP phones.
Click OK to start the ARP poisoning process.
This process can take anywhere from a few seconds to a few minutes depending on your network hardware and each host’s local TCP/IP stack.
Click the VoIP tab and all voice conversations are “automagically” recorded.
Here’s the interesting part — the conversations are saved in .wav audio file format, so you simply right-click the recorded conversation you want to test and choose Play, as shown in Figure 14-13. Note that conversations being recorded show Recording … in the Status column.
The voice quality with Cain and other tools depends on the codec your VoIP devices use. With my equipment, I find the quality is marginal at best. That’s not really a big deal, though, because your goal is to prove there’s a vulnerability — not to listen in on other people’s conversations.
There’s also a Linux-based tool called vomit (http://vomit.xtdnet.nl
) — short for voice over misconfigured Internet telephones — that you can use to convert VoIP conversations into .wav files. You first need to capture the actual conversation by using tcpdump, but if Linux is your preference, this solution offers basically the same results as Cain, outlined in the preceding steps.
These VoIP vulnerabilities are only the tip of the iceberg. New systems, software, and related protocols continue to emerge, so it pays to remain vigilant, helping to ensure your conversations are locked down from those with malicious intent. Like I’ve said before, if it has an IP address or a URL, it’s fair game for attack.
Locking down VoIP can be tricky. You can get off to a good start, though, by segmenting your voice network into its own VLAN — or even a dedicated physical network if that fits into your budget. Further isolate any Internet-connected systems so that not just anyone can connect to them (I see this often). You should also make sure that all VoIP-related systems are hardened according to vendor recommendations and widely accepted best practices (such as NIST’s SP800-58 document at http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
) and that software and firmware are patched on a periodic and consistent basis.
13.59.209.131